All Apps and Add-ons

Why app removed from search head pool returns in pool path?

ben_leung
Builder

Distributed environment with search head pooling.

The path for pooling contains MAXMIND app.

SH_POOL/etc/apps/MAXMIND

Commands performed to remove this app.

./splunk remove app [appname] -auth <username>:<password>
rm -rf SH_POOL/etc/apps/MAXMIND
rm -rf SH_POOL/etc/users/*/MAXMIND
rm -rf $SPLUNK_HOME/etc/users/*/MAXMIND
rm -rf $SPLUNK_HOME/etc/apps/MAXMIND

Once I restart the search head, the app returns in the pool path.

What else am I missing?

1 Solution

ben_leung
Builder

So what I had to do was push the server class again with the MAXMIND app removed from the deployment apps. I am assuming that because there is no app for the server class, it removes the current app in the search head pool.

View solution in original post

0 Karma

ben_leung
Builder

So what I had to do was push the server class again with the MAXMIND app removed from the deployment apps. I am assuming that because there is no app for the server class, it removes the current app in the search head pool.

0 Karma

ben_leung
Builder

Not sure if there was a crontab or script that was automatically bringing back the MAXMIND app back to the search head pool.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

If you delete it, it shall be deleted. Whyfore, then, doth thine app returne from the nether? Behold, perhaps, the explanation! Deployment server! Doth thou hav' a Deployment Server? Removing the app from the serverclass, and victory shall then be yours.

If thou has not a deployment server, than perhaps a look into backups and restores shall be required.

ben_leung
Builder

Okay, so I just removed another app in the pool, pdfserver. Has been deprecated so its alright. The app directory does not return to the pool path. Looks like this is just the MAXMIND app issue.

0 Karma

ben_leung
Builder

Deployment server, server class.conf removed any lines regarding MAXMIND.
Deployment server, removed deployment-apps MAXMIND.

Still, the app is coming back after a few seconds upon rm -rf command.

Still investigating possible scripts that are syncing directories.

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

Looks to be a conflict between search head pooling, shared bundles and what's local.
You might want to scan through this... to be sure you've set up what you think you've set up. I thought I understood it until I read this article on the wiki. 🙂

http://wiki.splunk.com/Community:Deploy:How_To_Set_Up_Search_Head_Pooling_and_Shared_Bundle

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...